fripost-ansible/roles/common-LDAP/templates/etc/ldap, branch master Fripost ansible scripts LDAP: Load dynlist overlay. 2025-02-01T12:56:14+00:00 Guilhem Moulin guilhem@fripost.org 2025-01-29T23:58:13+00:00 f647dd2265bf4c5a2903325f628774eace2011ce Looks like nextcloud 26-29 broke something in the handling of dynamic groups via memberURL attribute (and keeps repopulating the group — possibly due to paging — thereby spamming members with “An administrator removed you from group medlemmar” mails), so we expand on the slapd via slapo-dynlist(5) instead. This commit also fixes an issue with the openldap module where the index of the leftmost attribute of the DN is not necessary {0}. 
Looks like nextcloud 26-29 broke something in the handling of dynamic
groups via memberURL attribute (and keeps repopulating the group —
possibly due to paging — thereby spamming members with “An administrator
removed you from group medlemmar” mails), so we expand on the slapd via
slapo-dynlist(5) instead.

This commit also fixes an issue with the openldap module where the index
of the leftmost attribute of the DN is not necessary {0}.
LDAP: Rotate soon-to-be expired key material. 2024-09-08T18:54:00+00:00 Guilhem Moulin guilhem@fripost.org 2024-09-08T18:30:20+00:00 6b7ad809bbefc32216bac22547241ed402a570c8 Also, switch from rsa4096 to ed25519 and use a separate key for each syncrepl. 
Also, switch from rsa4096 to ed25519 and use a separate key for each
syncrepl.
LDAP: Add ACLs for group ‘styrelse’. 2020-05-21T01:45:17+00:00 Guilhem Moulin guilhem@fripost.org 2020-05-21T01:45:17+00:00 49fad9bf3a558f6eb0691b016a30ddff4a61da34 






postfix-sender-login: Better hardening.
2020-05-21T01:40:53+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-20T13:46:27+00:00

6d1daa0424c168eae4bfa9f6772add3f77ec506f

Run as a dedicated user, not ‘postfix’.





Run as a dedicated user, not ‘postfix’.







dovecot-auth-proxy: replace directory traversal with LDAP lookups.
2020-05-21T00:26:16+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-20T23:35:28+00:00

5118f8d3394579a245b355c863c69410fe92e26e

This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.

The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).

OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair.





This provides better isolation opportunity as the service doesn't need
to run as ‘vmail’ user.  We use a dedicated system user instead, and
LDAP ACLs to limit its access to the strict minimum.

The new solution is also more robust to quoting/escaping, and doesn't
depend on ‘home=/home/mail/virtual/%d/%n’ (we might use $entryUUID
instead of %d/%n at some point to make user renaming simpler).

OTOH we no longer lists users that have been removed from LDAP but still
have a mailstore lingering around.  This is fair.







LDAP: Update role to Debian Buster.
2020-05-19T04:36:36+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-19T04:11:29+00:00

7249ebbf9237afe6cccb6069d8c910b4a5975cdf












s/LDAP-provider/LDAP_provider/
2020-05-19T04:07:43+00:00

Guilhem Moulin
guilhem@fripost.org

2020-05-19T04:04:47+00:00

c9ecd815b4b77a57589f3588eba6c7d8ddfac020

This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.





This was forgotten after a092bfd947773281a23419ee0ab62358371b7166.







Update 'IMAP', 'MSA' and 'LDAP-provider' roles to Debian Stretch.
2018-12-09T19:25:40+00:00

Guilhem Moulin
guilhem@fripost.org

2018-12-09T17:41:06+00:00

e2ddcfc51f66c2a52a401064eab005e793f148ee












LDAP: Expose part of the database to Nextcloud.
2018-04-04T14:07:53+00:00

Guilhem Moulin
guilhem@fripost.org

2018-04-04T14:07:53+00:00

779fc904868bb2bc3f5f73cfd225ec7655ba14cf












Don't let authenticated client use arbitrary sender addresses.
2017-05-31T23:09:00+00:00

Guilhem Moulin
guilhem@fripost.org

2017-05-31T19:42:32+00:00

6e39bad3fbe75b88fca4c2e2aad8eb51af14b1be

The following policy is now implemented:

    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.





The following policy is now implemented:

    * users can use their SASL login name as sender address;
    * alias and/or list owners can use the address as envelope sender;
    * domain postmasters can use arbitrary sender addresses under their
      domains;
    * domain owners can use arbitrary sender addresses under their domains,
      unless it is also an existing account name;
    * for known domains without owner or postmasters, other sender addresses
      are not allowed; and
    * arbitrary sender addresses under unknown domains are allowed.